Looking at smart grid cybersecurity regulation under Trump

OT Security Made Simple welcomes Marguerite Behringer, Director of Regulatory Policy & Industry Relations at Landis+Gyr USA. She talks about the difficulty of US-wide cybersecurity regulation, the grind of redundant requirements and why smart meter cybersecurity needs more frameworks than laws. 


Transcript

Klaus Mochalski

Hello, and welcome to a new episode of OT Security Made Simple. My guest today is Marguerite Behringer. She's Director of Regulatory Policy at Landis+Gyr. But, Marguerite, why don't you introduce yourself to our listeners and explain a little bit of what your job is over at Landis+Gyr.

Marguerite Behringer

Sure. Thanks for having me here today. I'm Marguerite Behringer. My title with Landis+Gyr is Director of Regulatory Policy and Industry Relations. I focus on our North American market but also work with our global colleagues on some of our broader strategy and understanding of regulatory issues. I'll often say that I wear three hats. The first one is the traditional government affairs role, where I am interacting with federal and state legislators and folks who are running the Department of Energy and the like. In my second hat, I work with the state regulators. That's going to be our public service commissions, those who are making decisions about utilities, primarily investor-owned utilities, annually. Then finally, I have our industry relations hat, which is working with our trade associations, making sure that we are fully plugged into the different activities, filing comments where necessary, and most importantly, supporting our customers and representing their needs to trade associations, regulators, legislators, grant writers, and all of those in between.

Klaus Mochalski

Sounds like a lot to do. Very interesting, though. We definitely want to touch a little bit on the regulatory part. We're planning to look at regulations regarding cybersecurity in the US market. But before we dive into that, can you tell our listeners what your perception is of the status quo of cybersecurity in the US IoT market, particularly regarding smart meters and smart meter infrastructures?

Marguerite Behringer

Absolutely. Well, first and foremost, it's worth noting that with regard to smart meters, there are actually limited cybersecurity regulations that are federally implemented right now, because the majority of federal regulations are focusing on the bulk power system, or what is known as critical infrastructure. And let's be clear, we are all quite familiar that the distribution grid is a critical component. This is where we're delivering electrons to your home's front door. We're operating your refrigerators, your medical devices, and smart meters are helping to understand how energy is used, where outages are, and how to use analytics and AI and other control systems to actually work on distribution management, demand reduction, and similar programs. So most of the federal programs that you're going to see in regulations around cybersecurity are going to be a level above smart meters. And that means that because the distribution grid is regulated by state commissioners, you're going to have individual requirements that vary state by state, utility by utility. Now, mind you, some of that is changing, in particular because the federal government has invested substantial money into cybersecurity research through the Inflation Reduction Act, the Infrastructure Investment and Jobs Act, and also the CHIPS and Science Act, most notably. And all of these programs have really infused a bunch of money into different R&D programs. So we're seeing increased attention towards the distribution grid. We're seeing folks like the National Regulators Association, as well as the Department of Energy cybersecurity office, looking to define rules and baselines for distribution grid cybersecurity. We've also seen some pending legislation that looks to harmonize and address some of this as well. The other thing that I'll note regarding the status quo is that cybersecurity regulations and reporting requirements in the US are notoriously redundant and confusing.
And that was actually proven this year by a study conducted by the Government Accountability Office that looked at cybersecurity harmonization. And this office found four different federal agencies established requirements for states in securing data, but as many as 50 to 80% of these requirements are redundant. So there's a lot of interest in the federal government in making sure that these rules are actually a little bit more clear, making sure that they're a little bit more concise. But what happens with the Trump presidency incoming and how cybersecurity is addressed remains to be seen.

Klaus Mochalski

Yeah, this would have been my next follow-up question, of course. With the Trump presidency coming up, how will the new administration deal with that? So of course, I understand that you're expecting that regulation will become clearer, maybe less redundant, but this could change entirely, because what we understand over here is that the administration is planning to make the federal government, if anything, less influential. The question is, what would the impact on cybersecurity be? Could it even be a positive impact?

Marguerite Behringer

Yeah, absolutely. I see two main possibilities with the Trump administration. The first is that Trump has made very clear that he's interested in deregulation. He's interested in gutting the authority of the Environmental Protection Agency. He's interested in leveraging and increasing the ability of the Supreme Court to undo some of the regulations from the Department of Energy. And he's also boasted that he plans on cutting all funding related to the Inflation Reduction Act. And that's primarily going to impact tax credits for clean energy, grant programs for carbon reduction programs, electric vehicles, and other similar things. So on the one hand, we could see some of the money that's dedicated towards research and development, and even towards devising some regulations for cybersecurity, gutted. On the other hand, some of that authority actually lives in Congress. Congress is the one that's going to be identifying where the dollars are going. They do tax and budgeting reform, and so it's going to be in their hands to decide exactly where those dollars get budgeted. And no less, cybersecurity is something that is a bipartisan issue. In the previous Trump administration, we did see an executive order on AI. We saw some movement on cybersecurity, and Trump holds very much an isolationist view: we want to put America first and remove some of our connections to, or I guess reliance on, other countries. And so what that could mean is that we actually see more investment not only in defense, but also in cybersecurity. The Office of Cybersecurity, Energy Security, and Emergency Response, or CESER, is a DOE-funded office. We could see some shifts in how the CESER office is run and what its focus is on. But nonetheless, I do believe that it's a bipartisan issue, and I don't see major cuts coming, but I do see that change is inevitable.

Klaus Mochalski

The political discussion here in Europe, I would say, is that Europe needs to basically answer to the changes that everyone expects with the incoming presidency, that Europe needs to take on more responsibility and not rely too much on the US helping out in different areas, like in military conflicts and otherwise. So this could also be a good thing for our own responsibility. Could a similar thing be happening in the US market, with the states taking more responsibility as federal legislation might be delayed or not coming at all?

Marguerite Behringer

I think that's exactly right. Yes. We're definitely going to see, in a Trump presidency, a move to states' rights, state autonomy and responsibility. There are definitely a lot of benefits to that, right? Because every state is different. We used to say in my old consulting gig, every state is its own special snowflake. They've got different regulations, different landscapes, different weather issues, reliability issues, economic issues as well. And so we're definitely going to see a turn towards states' rights and a turn towards just trying to make sure that we're not reliant on other countries. There's definitely a lot of particular focus and concern about Chinese connections. And so incoming President Trump has said that he's interested in levying a 60% tariff on all Chinese imported goods. And anyone who's in the smart grid space knows that the way the smart grid works is often powered through computer chips, through computer board parts that come from either China or Taiwan or Vietnam. And therefore, we're likely to see our entire supply chain impacted by this. And no less, we're also going to see a move towards all countries starting to focus more on some of their cybersecurity approaches. And I'm glad you mentioned the way that Europe is reacting, because some of what we're talking about today is framed around the European Union Cyber Resilience Act, which is looking particularly at addressing the lack of cybersecurity in consumer IoT products, looking at the lack of updates or patches to address vulnerabilities. And this particular act is actually allowing for fines and penalties for violators, unlike the program in the United States. And so that is something that will definitely be changing within the European Union itself, and no less, we can still expect that individual countries will have their own approaches, right?

Klaus Mochalski

Right. Okay, so I think we can agree politically the next months are going to be very interesting, and we have to stay tuned and see what's coming. But let's take a step back and look a little bit at the cybersecurity or the regulatory situation that we face in the US market right now. You mentioned that for the electricity grid, for distribution networks, the regulation so far focused more on the core of the network itself, so things like substations and control systems, but not so much on the edge devices like smart meters. Have there been, to your knowledge, any incidents affecting these edge devices, either in smart meter infrastructures or even in wider IoT systems like battery systems or PV systems that we find as part of the electricity grid today in the US?

Marguerite Behringer

So today, I would say that there have been no major high-profile infiltrations to date. We are a member of the E-ISAC, which is an organization that is tracking vulnerabilities and disruptions to the power grid and reporting that to stakeholders to try and understand where some of these come from. Of course, that information sharing is something that is, in fact, a goal of the United States, and our general approach is trying to make sure that we are doing more information sharing. There actually was a ruling from the Securities and Exchange Commission last year that requires companies that are traded on the US stock market to file information on their cybersecurity plans as part of their annual reports, as well as to file information with them on significant breaches. And significant breaches is something that's been controversial, right? What makes a breach actually significant, how much disruption is caused, and how granular do we want to get, or do we want to save some red tape by not getting ultra-granular? I actually even had a commissioner last week ask me, what is the real, true risk of IoT devices and WiFi devices? And indeed, have there been examples? And I said to him, well, the problem is that many of these consumer-based devices have weak passwords. They don't have accurate cybersecurity protocols that they need to follow. And therefore, there is an easier portal for hackers to get through consumer devices into, potentially, the electric grid. But that's why companies like Landis+Gyr are thinking about grid edge cybersecurity. It's why, as I mentioned, the National Association of Regulatory Utility Commissioners, NARUC, and the CESER office are working on that baseline report for cybersecurity for the distribution grid. Then we're seeing tens of millions of dollars in federal government funding looking at other programs for clean and distributed energy cybersecurity research.
And all of these together are trying to make sure that we essentially get ahead of the game, because we know, especially as quantum computing and AI are also advancing, that the risks continue to grow. But I'm not familiar with specific breaches today, though it's possible that there are some that have not been required to be reported, because they are not as regulated as the bulk power system, if that makes sense.

Klaus Mochalski

Yeah, absolutely. And this is similar to the situation here in Europe. There have been very few published incidents over the past years. Surprisingly few. The question always is, and I had many discussions about this also with guests on this podcast, why is that? Because from our own security assessments, we know and we understand that there are many exploitable vulnerabilities in systems of various kinds, and it wouldn't be very difficult to attack these infrastructures. But we don't see this happening. I don't want to speculate here, but there have been a couple of episodes, and I invite the listeners to dig a bit deeper into the history of this podcast, where we had some interesting discussions on this. But let's get back to security for IoT systems. You mentioned the problem with consumer devices, and I fully agree. That's a bit of a mess, because there are commercial constraints that you have in these devices. But if we look specifically at smart meters: you're with Landis+Gyr, and Landis+Gyr is in the business of building smart meters. What do you think of improving or increasing device certification requirements? Europe, especially Germany, has always been big on device certification, smart meter certification. This has really hampered the smart meter market here in Germany for many, many years. Different from other countries in Europe, that is, where we have seen rollouts of smart meters over the past 10 years, and some are currently in the second rollout wave. And in Germany, we are still struggling with the initial rollout. The situation in the US is somewhat different. So is device certification something good or something bad, or is it somewhere in between?

Marguerite Behringer

Well, when it comes to labeling and certifying, there are a lot of different perspectives in the industry on the best way to do this right. I've heard a lot of folks say that using standards can actually be harmful for our utility partners, because every utility is going to be different. They live in different states, have different environments, different regulations. And therefore, we've seen a little bit of a push towards frameworks. What is something that is recommended? What's the baseline that you need? And how can we make sure that we're hitting the absolute necessary pieces and leaving those that are still a little bit less prioritized for later? And one of the ways the federal government, under the Biden administration, started addressing this last year, in July 2023, is through the voluntary Cyber Trust Mark initiative. That was announced by the White House, and they're looking specifically to help Americans ensure that they're buying internet-connected devices that include strong cybersecurity protections against cyber attacks. And so this program defines IoT devices as an internet-connected device capable of intentionally emitting RF energy that has at least one transducer, which is a sensor or actuator, for interacting directly with the physical world, coupled with at least one network interface, so WiFi or Bluetooth, for interacting with the digital world. And so this is mostly looking at fitness trackers, baby monitors, smart refrigerators, many of those that were previously perceived as weaker cybersecurity links. And this is mostly focusing on wireless consumer IoT products at first, as opposed to industrial or even medical devices.
And that's an important distinction here, because when this first came out, we were tracking it quite closely, because in the exact same announcement, the Department of Energy was also named, as an initiative, to work with the National Labs in developing a labeling requirement for smart meters and power inverters. And this, of course, would be quite interesting to us at Landis+Gyr as a leader in smart meters and grid edge intelligence. But I've been watching the market quite closely, and while I've seen millions and millions of dollars invested into clean energy cybersecurity, as well as research and development, we haven't seen something that specifically focuses on a certification and labeling program yet. There was $30 million announced quite recently to look at next-generation tools for clean energy delivery. And one of those topics did include forensic analysis of infected smart meters and sensors. We've seen $23 million in October for distributed energy resources and virtual power plants, and even $250 million allocated over five years for rural and municipal utility cybersecurity planning, which includes training, workforce development, and other things. But we haven't seen something that is specifically looking at creating this labeling or certification system. Instead, the Cyber Trust Mark will create a program similar to the Energy Star program, if you're familiar, which basically says that certain appliances are energy efficient and good for the grid or good to be interactive. The Cyber Trust Mark is going to include its own mark, a little shield with a QR code with easy-to-understand details. It will include some collaboration with the industry, including the National Institute of Standards and Technology, or NIST, as well as some independent label administrators and testing labs, the Federal Communications Commission and others.
This is going to be a pretty big deal for the consumer market, and obviously it's going to take a while for uptake as well. So the next phase, where smart meters may be affected or influenced, remains to be seen. And we are interacting with our government folks and advocating for stakeholder engagement. Before you go creating a framework or a standard, make sure that you're talking to the folks who are implementing the technology and supplying it. And so we intend to be involved when it comes about.

Klaus Mochalski

Okay, so this sounds very interesting. But if I understand correctly, the Cyber Trust Mark certification, first, is voluntary, and second, is not planned to directly apply to smart meters, at least as of now.

Marguerite Behringer

That is true. But it does affect many of the technologies that smart meters will be interacting with, especially as we look towards more active demand response and load disaggregation in the home. Those who are impacted by the US Cyber Trust Mark will include everything from Google technologies, Qualcomm, Samsung, Cisco, BestFi, Amazon. So all of these different folks are going to be affected, and that's going to interact with our smart meters, which will inherently, hopefully, drive the market towards a more secure structure.

Klaus Mochalski

Right. Understood. So if we look at smart meters from, let's say, a consumer perspective, would you wish for more regulation of smart meters? Would you wish, for instance, that the Cyber Trust Mark regulation would apply to smart meters, acknowledging that it's always a burden, like any regulation is always a burden to the manufacturers of these devices? Where's the balance? Is the situation perfect as it is today, or should there be some form of regulation for these very critical devices?

Marguerite Behringer

Well, no regulatory structure today is perfect. I can certainly say that. I think the answer to this is a mix of pragmatism and forward-looking inspiration as well. Do I think that there needs to be some... again, it's not a standard, but maybe a framework or specification around smart meter security? I think it certainly can't hurt. We design our smart meters to explicitly have our WiFi port separate from the metrology, which means that we don't need to go through our meter head-end system in order to connect user data to other systems, whether that's Green Button or a third-party application or an energy management system. And that design was really intentional, because we want to ensure that we're keeping some safeguards, making sure that the base function of the grid is never impacted by a breach in WiFi or a breach in your banking information or something else in the home. And I think that is a quality, and we've seen some jurisdictions actually already start to struggle. Colorado, in particular, has been struggling with the idea that direct data upload is an important possibility, an important function for both consumer sovereignty and choice, as well as just proper design. But unfortunately, it's a little bit hard to achieve. So I think that consumers and utilities alike ought to have a more secure system. But again, knowing that our customers are very hesitant to have more regulation, rates, more costs, et cetera, I think that outlining best practices is usually a better mode, and also informing folks, creating educational resources and understanding the risks that are inherent in choosing systems that don't have end-to-end cybersecurity. The Landis+Gyr portfolio does look at everything from the grid edge to the head-end to even OT security. We see it as really important to bake in this fully wrapped cybersecurity ecosystem. Without regulation, I think utilities have to question the risks themselves.
Risk is a tough thing to quantify, whether we're talking about wildfire risk or cybersecurity risk. I do think that, if nothing else, continued conversation should happen and research should too. But I think that creating regulations for the distribution grid is inherently difficult, because it's a states' rights issue, as we discussed earlier.

Klaus Mochalski

Yeah, right. Now I understand. And just thinking from the perspective of a smart meter customer, so the distribution network operators, wouldn't it be nice? I mean, it also takes a lot of effort as a vendor of these devices to explain how you as a vendor specifically implement security, like the separation of communication zones that you mentioned, which is certainly best practice, and there are many more best practices, and there's a long list, and it can take some time to explain. Wouldn't it be nice from their perspective to have something like the Energy Star rating label, which is easy to read, from green to red, also referring to cybersecurity? Maybe it's not that easy, but at least it could provide some initial guidance.

Marguerite Behringer

Yeah, I think you have a great point. And it certainly could create some clarity for the market and create some confidence, no less, in the kinds of products that you are creating. I think the difficulty just becomes who is regulating it, who is judging it, where is the money coming from for that labeling system? Then, again, how do you implement it on a state-by-state basis if it's a federal standard? There are some states that are still looking at their own cybersecurity structures. In fact, there are a couple of states that have IoT laws. California and Oregon have looked at IoT, creating rules for manufacturers to have reasonable security features, unique default passwords. And these provide a standard for the industry to follow. But nonetheless, creating something that is required for state distribution systems is difficult. But what could be great is if there was a framework, again, this voluntary opportunity, something that could be an optional sense of security and an optional certification. I think that could be great.

Klaus Mochalski

Right. If anything, we understand that the current situation is, let's put it that way, quite volatile, and it's going to be interesting to see what changes we can expect over the next couple of months. I think we also learned from the discussion today that cybersecurity is about much more than just the tactical perspective; the politics involved here is also something that you always have to bear in mind. And so the changes that we currently see to the government in the US are certainly influencing this field. So thank you very much, Marguerite, for the interesting discussion. And maybe let's do a follow-up episode once some of the changes have been implemented and see where they go.

Marguerite Behringer

I think that's a great idea, because as I told many of my colleagues when I recently did an election debrief, what we have are campaign promises and estimations. But we also know that President-elect Trump is inherently a bit unpredictable. So we're definitely in for a wild ride, and it will be an interesting time. And I'd be delighted to come back and report on some of the changes he makes to the Department of Energy, cybersecurity, IoT. AI is going to continue to be a big topic as well. There are also some pending pieces of legislation in Congress that may come back next year. We'll see, and I'd be happy to join again. Thanks for having me.

Klaus Mochalski

All right, let's do that. Let's watch this closely, and then thank you for being here.

Marguerite Behringer 

Thank you so much. Bye.